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METHOD FOR MONITORING A FIELD DEVICE 

The invention relates to a method for monitoring a field device as 
defined in the preamble of claim 1. 

5 

In process automation technology, field devices are often used for the 
registering and/or influencing of process variables. Examples of such 
field devices are fill level measuring devices, mass flow measuring 
devices, pressure and temperature measuring devices, pH-redox 
10 potential measuring devices, conductivity measuring devices, etc, 
which, as sensors, register the corresponding process variables fill 
level, flow rate, pressure, temperature, pH-value and conductivity. 

Besides such measuring devices, systems are also known, which, 
15 along with the measuring function, also perform other tasks; examples 
that can be named here are electrode cleaning systems, calibration 
systems, and sample takers. 

Also referred to as field devices are input/output units, so-called 
20 remote l/Os. 

Serving for the influencing of process variables are field devices 
referred to as actuators, e.g. valves, which control the flow rate of a 
liquid in a section of pipeline, or pumps, which influence fill level in a 
25 container. 



The firm Endress + Hauser® manufactures and sells a large number of 
such field devices. 
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Field devices in modern manufacturing plants are frequently connected 
with superordinated units, e.g. control systems or control units, via a 
field bus system (Profibus®, Foundation®-fieldbus, HART®, etc.). 
These superordinated units serve for process control, process 
5 visualization, process monitoring, as well as for operating and 
monitoring of the field devices. From the superordinated units, 
communication connections to further company networks are also 
possible. 

10 For operating field devices, corresponding operating programs 
(operating tools) are required in the control system, or in the control 
unit, as the case may be. These operating programs can run 
independently or they can be integrated into control-system 
applications. 

15 

The sensors deliver measured values corresponding to the current 
value of the registered process variable. These measured values are 
forwarded to a control unit, e.g. a PLC (programmable logic controller). 

20 As a rule, process control occurs from the control unit, where the 
measured values of different field devices are evaluated and, on the 
basis of the evaluation, control signals for the corresponding actuators 
are produced. Besides pure, measured value transmission, field 
devices can also transmit additional information (diagnosis, status, 

25 etc.). Parametering and configuring of the field devices occurs, 
likewise, via the field bus system. 

The field bus system is referred to also as the process control system. 
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Requirements for safety in process control systems are becoming ever 
stricter. Therefore, in many enterprises, process control systems are 
strictly separated from other company networks (SAP, business). In 
this way, unauthorized access to field devices is to be prevented. At 
the moment, efforts are being concentrated on safety in process 
control systems at the network level. 

For preventing intrusions from outside the company, so-called firewalls 
are used. Besides intrusions from outside of the company, likewise 
dangerous are unauthorized intrusions from within a company. In the 
case of company-internal intrusions, e.g. parameters can be changed 
in the field devices, or the entire control strategy can be changed. 
Thus can lead to undesired changes in the production process. 

A control strategy can be produced e.g. with the FieldCare® system of 
the firm Endress + Hauser and loaded into the field devices. 

Programs, which enable parametering, configuring and a changing of 
the control strategy (SCADA-systems or configuration tools) are 
usually equipped with a password protection. In such case, also an 
authorizing of the personnel who perform changes is necessary. 

For example, in the case of the Centum CS 1000 process control 
system of Yokogawa, critical function blocks, which run e.g. in field 
devices, can only be changed via input of two pass words of different 
persons. 

In the case of the firm Endress + Hauser, safety protection against 
unauthorized changing of parameters in field devices is provided by a 
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locking. The person who wants to make changes must input a code at 
the field device, before changes in the field device become possible. 

Field devices used in process control systems normally are equipped 
with microprocessors and accompanying peripheral components. 

Therefore, it is not possible to exclude the possibility that hardware, or 
software, or even just parts thereof, might be replaced, or changed, in 
a field device without authorization. A tampering of this kind would not 
be recognized by a process control system. Yet, measures such as 
these represent a significant intrusion into the process flow, or control 
strategy. 

Especially also for reasons of laws and regulations, it is important for a 
plant operator that a tamper-safe process flow be assured. 

An object of the invention, therefore, is to provide a method for field 
device monitoring that does not enable unauthorized tampering with 
field devices. 

This object is achieved by the features given in claim 1. Advantageous 
further developments of the invention are presented in the dependent 
claims. 

An essential idea of the invention is that a control unit, which is 
connected with the field device via a field bus, requests, at intervals in 
time, an individual identifier of the field device and compares this with 
an identifier stored in the control unit. By this query, a replacement of 
the hardware, or software, or parts thereof, is immediately noticed. 
The method of the invention is especially significant with respect to the 
validatability of a plant. 
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In simple manner, the individual identifier can be the serial number of 
the field device. In an alternative embodiment of the invention, the 
individual identifier can be a key in the device firmware of the field 
device. 

One option is also to use as an individual identifier a memory-unit test 
sum stored in the field device. 

For enabling a reliable record keeping for the plant, the requested 
identifier of each query is stored in a database along with a 
corresponding time stamp. 

A sensible variation is to store the identifier in the database only when 
it is determined that the identifier has changed. 

Since a tampering with a field device must be reported immediately to 
the operating personnel, when a change in the identifier of a field 
device is discovered, an alarm or warning is produced. 

Since also operationally required changes must also be effected in the 
field device, alarms or incidents should only be produced, when the 
changes occur outside of specified maintenance time periods. Or 
when the maintenance was explicitly allowed/planned. 

The invention will now be explained in greater detail on the basis of an 
example of an embodiment illustrated in the drawing, the sole figure of 
which shows as follows: 

Fig. 1 schematic illustration of a process automation network. 
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Fig. 1 shows a network of process automation technology in greater 
detail. Connected to a databus D1 are a plurality of process control 
systems, or control units (work stations WS1, WS2), which serve for 
process visualization, process monitoring, and engineering. Databus 
D1 works e.g. according to the HSE (High Speed Ethernet) standard of 
the Foundation fieldbus. Via a gateway G1, which is also referred to 
as a linking device, the databus D1 is connected with a fieldbus 
segment SM1. The fieldbus segment SM1 is composed of a plurality 
of field devices F1, F2, F3, F4, which are connected together via a 
fieldbus FB. The fieldbus works e.g. according to the Foundation® 
fieldbus standard. 

The method of the invention will now be explained in greater detail. 

The control unit WS1 requests, at intervals in time, an individual 
identifier of e.g. the field device F1. Due to the query, the field device 
F1 sends its individual identifier to the control unit WS1. In the control 
unit WS1, this individual identifier is compared with an individual 
identifier stored in the control unit WS1. If the identifier transmitted by 
the field device agrees with the individual identifier stored in the control 
unit, then it is assured that no unauthorized tamperings have been 
performed with regard to the hard-, or soft-, ware, as the case may be, 
of the field device. In this way, a validating of the process flow is 
possible. Examples of individual identifiers are the serial number of 
the field device F1 or a key in the device software. The control unit 
WS1 is connected with an external database, in which each query is 
recorded, along with a time stamp. In this way, documentation over an 
extended period of time is possible. 
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In an alternative embodiment of the invention, storage in the database 
only occurs, when the control unit WS1 detects that the identifier has 
changed. 

5 As a rule, maintenance work is performed in an automated plant during 
exactly specified periods of time. For preventing false alarms, alarms 
are only produced, when they lie outside of these specified periods of 
time for maintenance. 

10 An alarm can be displayed at the control unit WS1 or also forwarded 
via alternative paths, e.g. eMail, SMS and fax, to the responsible 
stations. 

In a very simple embodiment, it is only monitored in the control unit, 
15 whether the field device of concern, e.g. F1 , is connected with the field 
bus and is capable of functioning. For this purpose, control unit WS1 
directs a query to the field device F1, requiring an answer from the field 
device F1. If the field device does not answer, then the absence is 
stored in the database. 



